Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
UNIVERSITY OF CALIFORNIA SAN FRANCISCO MEDICAL CENTER
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on October 3, 2011. Also cited in 108 other reports.
Report ID: SD4X11.02, California Department of Public Health
Reported Entity: UCSF MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to prevent an unauthorized access to Patient A's medical information when a staff person (Staff 1) accessed the computerized medical records without the patient's consent and without valid justification related to his job.Findings:In an interview on 10/3/11 at 10:00 AM, the Director of Regulatory Affairs said Patient A reported to the facility that a facility staff person accessed his medical information. She stated the patient had suspicion about the breach because Staff 1 approached the patient during his clinic appointments between July and August 2011.The facility's report to the Department dated 9/13/11, indicated that on August 25, 2011, a patient alleged that a facility employee accessed his medical record without a business need to do so. This was confirmed on 9/7/2011.A letter sent by the facility to the Department dated 10/11/11, indicated the facility staff (Staff 1) worked for Central Placement in the Department of Admissions and Registration. It stated that during the facility's investigatory meeting, the employee stated that he accessed the patient's medical record for operational purposes and because he was curious to find out if he would need to have the same procedure that the patient had. He stated they were acquaintances and used to be friends. In a telephone interview on 12/12/11 at 1:50 PM, Staff 1 stated his main function on the job was to assign beds but he could also access patient's medical information like demographics (date of birth, address, medical record number and emergency contact), appointment time in and out, reason for the appointment, diagnosis and doctor's recommendations for patient's conditions. He said prior to Patient A's clinic appointment sometime in August 2011, he and Patient A agreed that they will have lunch after his appointment. He said he and Patient A were old friends. He said that he was trying to contact Patient A but he was not answering his phone so he looked in the computer what time he came in and out of the clinic. He said that Patient A had suspected him that he looked at the medical information because he knew about the doctor's appointment. When asked if he accessed Patient A's medical information, he said, "I did look at the doctor's recommendations for his condition because I had the same condition as him." He said he never told Patient A that he looked at his medical record but he admitted to the facility during the investigation regarding the breach.Review of Staff 1's Job Description indicated, "...Bed Control Coordinator duties include procuring the assignment of beds from nursing units for incoming patients, tracking patient flow throughout the hospital, and performing census reconciliation."The employee's action to access the patients' medical information for improper purpose violated Health and Safety Code 1280.15(a) and is therefore subject to the applicable penalty assessment.
Outcome:
Fine imposed and deficiency cited by the California Department of Public Health: Patients' Rights